Salesforce

OneTrust Cookies

« Go Back
Information
OneTrust Cookies
UUID-2dc719a8-4be5-8d16-1dc8-c7b4147b88e0
English
Checked
Content

OneTrust cookies are first-party cookies, unless otherwise specified, with a path set to the domain scanned and associated with your banner script. These cookies are dropped when the OneTrust Banner is integrated and are necessary for it to function. Each OneTrust cookie is dropped in a particular scenario explained below in detail.

Note

There is a cookie attribute named SameSite, which allows developers to explicitly declare the intent of a cookie’s scope. OneTrust Cookies are set to SameSite Lax. For more information, see Setting SameSite Cookies.

HttpOnly is never set for OneTrust Cookies due to the nature of the HttpOnly attribute. If this attribute is set, the cookie will not be accessible to the JavaScript.

OptanonConsent

This first-party cookie fires on a website when the OneTrust Banner CDN is deployed on that site. The consent status of a visitor is indicated using the first party OptanonConsent cookie.

When test scripts are placed on any site, the OptanonConsent cookie is dropped on the browser and is written to the domain where scripts are placed, not necessarily the domain for which the script was generated.

Example Scenario

The website onetrust.com is scanned in the OneTrust tool. The test scripts for onetrust.com are placed on a different website, onetoso.com. Notice that when test scripts are leveraged, the cookie is written to the domain where it is deployed, in this scenario it is onetoso.com.

optanon1.png

Below, the Network tab shows that the domain scanned in the tool is onetrust.com and the ScriptType utilized on the page https:onetoso.com/domain1.html is TEST.

optanon2.png

When production scripts are placed on a site, the OptanonConsent cookie is dropped on the browser and is written to the domain for which the script is specific to. In this scenario, if the domain scanned is onetrust.com and production scripts are placed on the live website (www.onetrust.com) and/or its sub-domains, the cookie is written to the root domain (.onetrust.com).

optanon3.png

The below network call [data domain script].json provides information in detail.

  • Domain is the website scanned in OneTrust tool.

  • ScriptType mentions whether test scripts/production script is utilized on the current website.

Every domain scanned in the OneTrust tool will have a unique data-domain-script ID associated. The network call [data domain script].json will be generated with that data-domain-script ID associated with the scanned domain.

optanon4.png

The value of the OptanonConsent cookie can be decoded within the Developer Tools section of your browser by checking the Show URL decoded box for a cookie value.

optanon5.png

Decoded Example Cookie

isGpcEnabled=0&datestamp=Mon+Mar+27+2023+22:48:10+GMT-0400+(Eastern+Daylight+Time)&version=202303.1.0&browserGpcFlag=0&isIABGlobal=false&hosts=&consentId=6fcfe4fe-8de9-4101-bdf9-5dad0faf2611&interactionCount=0&landingPath=https://onetoso.com/domain1.html&GPPCookiesCount=1&groups=C0001:1,C0003:1,SSPD_BG:1,C0004:1,C0002:1&geolocation=US;MI&AwaitingReconsent=true

Field

Type

Description

isGpcEnabled

Integer

Note

This field is available from version OneTrust 6.16 and onwards.

Indicates if the Global Privacy Control signal is enabled for a specific category within a geolocation rule group and if browser GPC is enabled.

  • 0 = browser GPC is enabled/disabled, and GPC is not setup for any category in the geolocation rule group.

  • 1 = browser GPC is enabled, and GPC is enabled for any category in the geolocation rule group.

For more information, see Configuring Geolocation Rules.

For more information, see Leveraging the Global Privacy Control Signal.

datestamp

Date

The date and time when the cookie was created.

Note

This will be updated on every page load.

version

String

The version of OneTrust that created the cookie.

For more information, see Restoring or Publishing Previous Script Versions.

browserGpcFlag

Integer

Note

This field is displayed for versions 202303.1.0 and above.

Indicates whether the GPC signal on a user's browser is active (1) or inactive (0).

isIABGlobal

Boolean

Note

From version OneTrust 6.22 and onwards, the value is set to false as Set Global EU Consent has been deprecated by IAB Europe Transparency and Consent Framework.

Will be true when the Set Global EU Consentsetting is enabled in the geolocation rule.

Set Global EU Consent is a setting within geolocation rules associated with the TCF 2.0 Framework.

For more information, see Configuring Geolocation Rules.

consentId

String

The transaction number of the consent submission, also known as data subject ID or receipt ID.

Note

You must enable the Capture Records of Consent setting in the template's geolocation rule in order for the consentId string to populate.

For more information, see Enabling Consent Logging and the Cookie Consent Dashboard.

interactionCount

Integer

The number of the site visitor's interactions with the Banner or Preference Center.

Note

You must enable the Capture Records of Consent setting in the template's geolocation rule in order for the consentId string to populate.

For more information, see Enabling Consent Logging and the Cookie Consent Dashboard.

LandingPath

String

Used for implied consent purposes to determine if the page matches the page the site visitor initially visited.

GPPCookiesCount

Integer

Indicates the number of Global Privacy Platform (GPP) cookies on a browser. Ideally, this is always 1.

If the GPP string is increasing and the cookie character limit exceeds 4000 characters, then the GPP string is separated into two cookies. ƒ

For more information, see Global Privacy Platform: Detailed Overview.

groups

Object

Provides the cookie category and the consent status for that category.

  • 0 = No Consent

  • 1 = Consent Given

hosts

Object

Provides the host and the consent status for that host.

  • 0 = No Consent

  • 1 = Consent Given

AwaitingReconsent

Boolean

Will be true if the setting Do you require users to re-consent? is enabled while publishing the script.

For more information, see Publishing and Implementing Cookie Consent Scripts.

geolocation

String

The geolocation of the site visitor.

Format: [country code];[state code]

Note

Rules in addition to a global default rule must be configured in the geolocation rule group in order for the geolocation string to populate. For more information, see Configuring Geolocation Rules.

OptanonAlertBoxClosed

When consent is given or a necessary user interaction is performed per configuration, the script sets a first party cookie called OptanonAlertBoxClosed.

User Interactions on the Banner and Preference Center

User Interaction

Source

Accept All

Cookie Banner

Reject All

Cookie Banner

Close

Cookie Banner

Accept All

Preference Center

Reject All

Preference Center

Save Settings

Preference Center

This cookie is used to determine if a visitor should be shown the Banner. It is persistent and has a default lifespan of one year.

Note

The frequency at which you require your users to reconsent (the cookie's expiration) is determined by the Reconsent will occur after field in Geolocation Rules. For more information, see Configuring Geolocation Rules.

When OptanonAlertBoxClosed is dropped on a browser, it indicates an interaction from the user and that the banner will not be shown until the expiration of the cookie.

optanonalertboxclosed1.png

For example:

  • Value of OptanonAlertBoxClosed: 2023-02-27T15:26:56.183Z

  • Expiration of OptanonAlertBoxClosed: 2024-02-27T15:26:56.000Z

Once the OptanonAlertBoxClosed cookie expires and the value of OptanonConsent is reset completely to the default preferences, surfacing the Banner again for the user to interact:

Scenario 1

Show Banner is disabled in the geolocation rule, and the Preference Center is surfaced via footer link:

  • OptanonAlertBoxClosed fires when a user provides explicit consent on the Preference Center.

    Note

    If a user clicks the close button (X) on the Preference Center, navigates to a different website, or closes the browser tab, the transaction type Not Given will be recorded.

Scenario 2

Show Banner is enabled in the geolocation rule.

  • OptanonAlertBoxClosed fires when the user provides explicit consent on the Banner or Preference Center as well as when the user clicks the close (X) button on the Banner or Preference Center.

    Note

    In an ideal scenario, once a visitor interacts with the Banner or Preference Center, OptanonConsent and OptanonAlertBoxClosed cookies are valid for one year as configured by default in the Geolocation Rule Group. But if a visitor manually deletes these cookies or clears the cache on their browser, the OneTrust cookies are deleted, and the Banner is presented to the user to interact with again.

    Similarly, site visitors who use Safari or iOS to access your website will begin to see the cookie Banner and will be prompted to make preference selections every seven days. For more information, see Intelligent Tracking Prevention 2.1.

usprivacy

This cookie is dropped on a browser when the IAB CCPA script is deployed on your site. This cookie is read by third-party vendors to action consent.

For more information, see IAB CCPA: Configuring the US Privacy String with Cookie Consent.

Position

Values

Description

Version

Number

A single character indicating the version of CCPA.

Opt-out shown

Y, N, -

The site visitor has been provided a notice to opt-out of the sale of personal data according to 1798.120 and 1798.135 of the CCPA.

Opt-out status

Y, N, -

Indicates if the site visitor has opted-out of the sale of data.

LSPA

Y, N, -

Indicates if the publisher is a signatory to the IAB Limited Service Provider Agreement (LSPA) and the publisher declares that the transaction is covered as a “Covered Opt-Out Transaction” or a “Non Opt-Out Transaction” as those terms are defined in the Agreement.

The string consists of four digits: an integer and three Y/N boolean values. Hypens are used if the string is not applicable in the particular geolocation that the user is visiting from. Below are several examples of the privacy string with descriptions of each digit.

privacy_string_1.png

It is mandatory to specify the geolocation in which the IAB CCPA framework will be applicable. The options are as follows:

  • All (Global)

  • US (United States Only)

  • CA (California Only)

If the user is located outside of the specified geolocation, the value of the usprivacy string includes hypens (1---) indicating the IAB CCPA framework is not applicable in that user’s area.

euconsent-v2

Used to store IAB TCF v2 preferences if the consent policy setting Set Global EU Consent is enabled in Geolocation Rules.

set_eu_global_consent_disabled.png

Note

Support for IAB Global scope is deprecated in version 6.22. This deprecation enhances compliance with IAB TCF 2.0 requirements. If you previously had global scope enabled, it has been disabled and you should re-publish any domain scripts.

eupubconsent-v2

Used to store IAB TCF v2 preferences. Because the IAB global scope is deprecated, Set Global EU Consent has been disabled. This will be a first party cookie and the OptanonConsent cookie’s isIABGlobal value will be set to false. The cookie’s lifespan is one year by default.

The cookie value is an encoded consent string that vendors registered with the IAB framework can read to determine users’ consent. The size of this string can impact performance on your site if it gets too large, so it is recommended that you only enable ad tech vendors that you’re working with in your IAB Vendor List.

For more information on managing your IAB Global Vendor List, see Managing the IAB TCF Global Vendor List.

For more information on eupubconsent-v2, see IAB TCF 2.0 Consent String.

The string containing the vendors can be decoded using tools such as an IAB Decoder .

OTAdditionalConsentString

This cookie drops on the browser when Google Additional Consent mode is enabled within a template. For more information, see Using Google Additional Consent.

The additional consent (AC) string is stored in this first party cookie. The AC String is comprised of the following:

  1. Part 1: A specification version number, such as "1";

  2. Part 2: A separator symbol "~"

  3. Part 3: A dot-separated list of user-consented Google Ad Tech Provider (ATP) IDs. Example: "1~1.35.41.101"

The expiration of the cookie is the same as the OneTrust cookies and also depends on the re-consent frequency defined in the associated geolocation rule.

For example, the AC string "1~1.35.41.101" means that the site visitor has consented to Google ATP Vendors with IDs 1, 35, 41 and 101, and the string is created using the format defined in the v1.0 specification

Note

The size of this cookie can impact site performance if it becomes too large so it is recommended to only enable vendors that you are actively working with.

OneTrustWPCCPAGoogleOptOut

The cookie is set based on user consent from the otCCPAiab.js. This cookie has a value of true or false, based on if the user opts in or out of the otCCPAiab associated category.

  • If user has opted out of cookie category associated with IAB CCPA, the cookie value is set to true.

  • If the user has opted in to the cookie category associated with IAB CCPA, the cookie value is set to false.

This cookie is only set when the script src is the Google Ad Manager URL, which is the default script for IAB CCPA implementation. More information is available here.

For more information, see IAB CCPA: Configuring the US Privacy String with Cookie Consent.

OTGPPConsent

This cookie is dropped when the GPP (Global Privacy Platform) feature is configured for a template within its geolocation rule group.

The GPP feature is available from version 202302.1.0 and onwards. The OTGPPConsent cookie is dropped when test/production scripts are published with version 202302.1.0 and onwards.

The value of OTGPPConsent can be decoded using tool such as an IAB GPP decoder.

For more information, see Configuring the Global Privacy Platform Settings and Global Privacy Platform: Detailed Overview.

_cfduid Cookie

This cookie isn’t written by OneTrust, but it is included with our script. Description from Cookiepedia:

Cookie associated with sites using CloudFlare, used to speed up page load times. According to CloudFlare it is used to override any security restrictions based on the IP address the visitor is coming from. It does not contain any user identification information.

Note

This cookie has been deprecated by CloudFlare. For more information, see Deprecating the __cfduid Cookie. You can confirm this by viewing the cookies set on a site with a OneTrust CDN. If you are still seeing this cookie within your tenant and/or in a live cookie list, rescan the domain(s) to which the cookie belongs. The cookie should no longer be picked up in a scan.

 

Powered by